Merge branch 'main' into java-kotlin-sensitive-logging-substring-barriers

java/ql/integration-tests/java/maven-add-exports-module-flags/pom.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.example</groupId>
+  <artifactId>maven-add-exports-module-flags</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <name>maven-add-exports-module-flags</name>
+  <description>Test case: Project using --add-exports. Autobuilder should detect this and use --source/--target.</description>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <java.version>11</java.version>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.11.0</version>
+        <configuration>
+          <source>${java.version}</source>
+          <target>${java.version}</target>
+          <compilerArgs>
+            <arg>--add-exports</arg>
+            <arg>jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED</arg>
+            <arg>--add-exports</arg>
+            <arg>jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED</arg>
+            <arg>--add-exports</arg>
+            <arg>jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED</arg>
+            <arg>--add-exports</arg>
+            <arg>jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED</arg>
+          </compilerArgs>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

java/ql/integration-tests/java/maven-add-exports-module-flags/source_archive.expected

@@ -0,0 +1,3 @@
+pom.xml
+src/main/java/com/example/CompilerUser.java
+target/maven-archiver/pom.properties

java/ql/integration-tests/java/maven-add-exports-module-flags/src/main/java/com/example/CompilerUser.java

@@ -0,0 +1,15 @@
+package com.example;
+
+import com.sun.tools.javac.api.JavacTool;
+
+/**
+ * Simple class that uses JDK compiler internals.
+ * This requires --add-exports flags to compile.
+ */
+public class CompilerUser {
+    public static void main(String[] args) {
+        // Use JavacTool from jdk.compiler module
+        JavacTool tool = JavacTool.create();
+        System.out.println("Compiler tool: " + tool.getClass().getName());
+    }
+}

java/ql/integration-tests/java/maven-add-exports-module-flags/test.py

@@ -0,0 +1,2 @@
+def test(codeql, java, actions_toolchains_file):
+    codeql.database.create(_env={"LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file)})

java/ql/integration-tests/java/maven-execution-specific-java-version/pom.xml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.example</groupId>
+  <artifactId>maven-execution-specific-java-version</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <name>maven-execution-specific-java-version</name>
+  <description>Test case: Project with execution-specific Java versions (Java 11 for main, Java 17 for test). Maven.java should detect the highest version (17) and use it for compilation.</description>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.13.0</version>
+        <executions>
+          <!-- Compilation for src/main/java -->
+          <execution>
+            <id>default-compile</id>
+            <phase>compile</phase>
+            <goals>
+              <goal>compile</goal>
+            </goals>
+            <configuration>
+              <release>11</release> <!-- Java 11 for main -->
+            </configuration>
+          </execution>
+
+          <!-- Compilation for src/test/java -->
+          <execution>
+            <id>default-testCompile</id>
+            <phase>test-compile</phase>
+            <goals>
+              <goal>testCompile</goal>
+            </goals>
+            <configuration>
+              <release>17</release> <!-- Java 17 for test -->
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+</project>

java/ql/integration-tests/java/maven-execution-specific-java-version/source_archive.expected

@@ -0,0 +1,4 @@
+pom.xml
+src/main/java/com/example/App.java
+src/test/java/com/example/AppTest.java
+target/maven-archiver/pom.properties

java/ql/integration-tests/java/maven-execution-specific-java-version/src/main/java/com/example/App.java

@@ -0,0 +1,12 @@
+package com.example;
+
+public class App {
+    public static void main(String[] args) {
+        var message = "Hello World! Running on Java " + System.getProperty("java.version");
+        System.out.println(message);
+    }
+
+    public String getMessage() {
+        return "Hello from App";
+    }
+}

java/ql/integration-tests/java/maven-execution-specific-java-version/src/test/java/com/example/AppTest.java

@@ -0,0 +1,11 @@
+package com.example;
+
+public class AppTest {
+    public static void main(String[] args) {
+        var text = """
+            Hello
+            World
+            """;
+        System.out.println(text.strip());
+    }
+}

java/ql/integration-tests/java/maven-execution-specific-java-version/test.py

@@ -0,0 +1,2 @@
+def test(codeql, java, actions_toolchains_file):
+    codeql.database.create(_env={"LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file)})

java/ql/integration-tests/java/maven-java16-with-higher-jdk/pom.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.example</groupId>
+  <artifactId>maven-java16-with-higher-jdk</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <name>maven-java16-with-higher-jdk</name>
+  <description>Test case: Java 16 target when only Java 17+ is available.</description>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <java.version>16</java.version>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.11.0</version>
+        <configuration>
+          <release>${java.version}</release>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

java/ql/integration-tests/java/maven-java16-with-higher-jdk/source_archive.expected

@@ -0,0 +1,3 @@
+pom.xml
+src/main/java/com/example/App.java
+target/maven-archiver/pom.properties

java/ql/integration-tests/java/maven-java16-with-higher-jdk/src/main/java/com/example/App.java

@@ -0,0 +1,15 @@
+package com.example;
+
+import java.util.List;
+
+/**
+ * Simple class using Java 16 features (e.g.,records).
+ */
+public class App {
+    public static void main(String[] args) {
+        Person person = new Person("Bob", 42);
+        System.out.println(person);
+    }
+}
+
+record Person(String name, int age) {}

java/ql/integration-tests/java/maven-java16-with-higher-jdk/test.py

@@ -0,0 +1,2 @@
+def test(codeql, java, actions_toolchains_file):
+    codeql.database.create(_env={"LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file)})

java/ql/integration-tests/java/maven-java8-java11-dependency/pom.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.example</groupId>
+  <artifactId>maven-java8-java11-dependency</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <name>maven-java8-java11-dependency</name>
+  <description>Test case: Java 8 project with dependency requiring Java 11+</description>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.source>1.8</maven.compiler.source>
+    <maven.compiler.target>1.8</maven.compiler.target>
+  </properties>
+
+  <dependencies>
+    <!-- TestNG 7.7.0 is compiled with Java 11 (class file version 55.0) -->
+    <dependency>
+      <groupId>org.testng</groupId>
+      <artifactId>testng</artifactId>
+      <version>7.7.0</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.8.0</version>
+      </plugin>
+      <plugin>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>2.22.1</version>
+      </plugin>
+    </plugins>
+  </build>
+</project>

java/ql/integration-tests/java/maven-java8-java11-dependency/source_archive.expected

@@ -0,0 +1,4 @@
+pom.xml
+src/main/java/com/example/Calculator.java
+src/test/java/com/example/CalculatorTest.java
+target/maven-archiver/pom.properties

java/ql/integration-tests/java/maven-java8-java11-dependency/src/main/java/com/example/Calculator.java

@@ -0,0 +1,11 @@
+package com.example;
+
+public class Calculator {
+    public int add(int a, int b) {
+        return a + b;
+    }
+
+    public int multiply(int a, int b) {
+        return a * b;
+    }
+}

java/ql/integration-tests/java/maven-java8-java11-dependency/src/test/java/com/example/CalculatorTest.java

@@ -0,0 +1,21 @@
+package com.example;
+
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+/**
+ * Test class using TestNG 7.7.0 which requires Java 11+.
+ */
+public class CalculatorTest {
+    @Test
+    public void testAdd() {
+        Calculator calc = new Calculator();
+        Assert.assertEquals(calc.add(2, 3), 5);
+    }
+
+    @Test
+    public void testMultiply() {
+        Calculator calc = new Calculator();
+        Assert.assertEquals(calc.multiply(3, 4), 12);
+    }
+}

java/ql/integration-tests/java/maven-java8-java11-dependency/test.py

@@ -0,0 +1,2 @@
+def test(codeql, java, actions_toolchains_file):
+    codeql.database.create(_env={"LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file)})

java/ql/integration-tests/java/maven-multimodule-test-java-version/main-module/pom.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>com.example</groupId>
+    <artifactId>maven-multimodule-test-java-version</artifactId>
+    <version>1.0</version>
+  </parent>
+  <artifactId>main-module</artifactId>
+</project>

java/ql/integration-tests/java/maven-multimodule-test-java-version/main-module/src/main/java/com/example/App.java

@@ -0,0 +1,7 @@
+package com.example;
+
+public class App {
+    public static void main(String[] args) {
+        System.out.println("Hello World!");
+    }
+}

java/ql/integration-tests/java/maven-multimodule-test-java-version/pom.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>com.example</groupId>
+  <artifactId>maven-multimodule-test-java-version</artifactId>
+  <version>1.0</version>
+  <packaging>pom</packaging>
+
+  <properties>
+    <maven.compiler.release>17</maven.compiler.release>
+  </properties>
+
+  <modules>
+    <module>main-module</module>
+    <module>test-module</module>
+  </modules>
+</project>

java/ql/integration-tests/java/maven-multimodule-test-java-version/source_archive.expected

@@ -0,0 +1,7 @@
+main-module/pom.xml
+main-module/src/main/java/com/example/App.java
+main-module/target/maven-archiver/pom.properties
+pom.xml
+test-module/pom.xml
+test-module/src/main/java/com/example/tests/TestUtils.java
+test-module/target/maven-archiver/pom.properties

java/ql/integration-tests/java/maven-multimodule-test-java-version/test-module/pom.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>com.example</groupId>
+    <artifactId>maven-multimodule-test-java-version</artifactId>
+    <version>1.0</version>
+  </parent>
+  <artifactId>test-module</artifactId>
+
+  <properties>
+    <maven.compiler.release>21</maven.compiler.release>
+  </properties>
+</project>

java/ql/integration-tests/java/maven-multimodule-test-java-version/test-module/src/main/java/com/example/tests/TestUtils.java

@@ -0,0 +1,12 @@
+package com.example.tests;
+
+// Requires Java 21: switch with pattern matching and guards
+public class TestUtils {
+    public static String analyze(Object obj) {
+        return switch (obj) {
+            case String s when s.length() > 5 -> "long";
+            case String s -> "short";
+            default -> "other";
+        };
+    }
+}

java/ql/integration-tests/java/maven-multimodule-test-java-version/test.py

@@ -0,0 +1,2 @@
+def test(codeql, java, actions_toolchains_file):
+    codeql.database.create(_env={"LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file)})

java/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 7.7.3
+
+No user-facing changes.
+
 ## 7.7.2
 
 ### Minor Analysis Improvements

java/ql/lib/change-notes/released/7.7.3.md

@@ -0,0 +1,3 @@
+## 7.7.3
+
+No user-facing changes.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.7.2
+lastReleaseVersion: 7.7.3

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 7.7.3-dev
+version: 7.7.4-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/CHANGELOG.md

@@ -1,3 +1,16 @@
+## 1.9.0
+
+### New Queries
+
+* The `java/sensitive-cookie-not-httponly` query has been promoted from experimental to the main query pack.
+* Added a new query, `java/escaping`, to detect values escaping from classes marked as `@ThreadSafe`.
+* Added a new query, `java/not-threadsafe`, to detect data races in classes marked as `@ThreadSafe`.
+* Added a new query, `java/safe-publication`, to detect unsafe publication in classes marked as `@ThreadSafe`.
+
+### Minor Analysis Improvements
+
+* Calls to `String.matches` are now treated as sanitizers for the `java/ssrf` query.
+
 ## 1.8.2
 
 No user-facing changes.

java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql

@@ -4,7 +4,7 @@
  *              This may allow an attacker to bypass a filter or sanitizer.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.0
+ * @security-severity 4.0
  * @precision high
  * @id java/overly-large-range
  * @tags correctness

java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql

@@ -4,7 +4,7 @@
  *              interception.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.0
+ * @security-severity 4.0
  * @precision high
  * @id java/insecure-cookie
  * @tags security

java/ql/src/change-notes/2025-06-22-query-escaping.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new query, `java/escaping`, to detect values escaping from classes marked as `@ThreadSafe`.

java/ql/src/change-notes/2025-06-22-query-not-thread-safe.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new query, `java/not-threadsafe`, to detect data races in classes marked as `@ThreadSafe`.

java/ql/src/change-notes/2025-06-22-query-safe-publication.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new query, `java/safe-publication`, to detect unsafe publication in classes marked as `@ThreadSafe`.

java/ql/src/change-notes/2025-10-02-http-only-cookie-promote.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* The `java/sensitive-cookie-not-httponly` query has been promoted from experimental to the main query pack.

java/ql/src/change-notes/2025-10-22-adjust-query-severity.md

@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* Reduced the `security-severity` score of the `java/overly-large-range` query from 5.0 to 4.0 to better reflect its impact.
+* Reduced the `security-severity` score of the `java/insecure-cookie` query from 5.0 to 4.0 to better reflect its impact.

java/ql/src/change-notes/2025-10-24-request-forgery-matches-sanitizer.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Calls to `String.matches` are now treated as sanitizers for the `java/ssrf` query.

java/ql/src/change-notes/2025-11-13-maven-default-java-17

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Java analysis now selects the Java version to use informed by Maven POM files across all project modules. It also tries to use Java 17 or higher for all Maven projects if possible, for improved build compatibility.

java/ql/src/change-notes/released/1.9.0.md

@@ -0,0 +1,12 @@
+## 1.9.0
+
+### New Queries
+
+* The `java/sensitive-cookie-not-httponly` query has been promoted from experimental to the main query pack.
+* Added a new query, `java/escaping`, to detect values escaping from classes marked as `@ThreadSafe`.
+* Added a new query, `java/not-threadsafe`, to detect data races in classes marked as `@ThreadSafe`.
+* Added a new query, `java/safe-publication`, to detect unsafe publication in classes marked as `@ThreadSafe`.
+
+### Minor Analysis Improvements
+
+* Calls to `String.matches` are now treated as sanitizers for the `java/ssrf` query.

java/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.8.2
+lastReleaseVersion: 1.9.0

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.8.3-dev
+version: 1.9.1-dev
 groups:
   - java
   - queries

java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/NonceReuse.expected

@@ -1,3 +1,8 @@
+#select
+| Test.java:40:47:40:52 | ivSpec | Test.java:19:38:19:40 | val : byte[] | Test.java:40:47:40:52 | ivSpec | Nonce source is reused, see alternate sink $@ | Test.java:49:47:49:52 | Nonce | Nonce |
+| Test.java:49:47:49:52 | ivSpec | Test.java:19:38:19:40 | val : byte[] | Test.java:49:47:49:52 | ivSpec | Nonce source is reused, see alternate sink $@ | Test.java:40:47:40:52 | Nonce | Nonce |
+| Test.java:76:48:76:54 | ivSpec1 | Test.java:19:38:19:40 | val : byte[] | Test.java:76:48:76:54 | ivSpec1 | Nonce source is reused, see alternate sink $@ | Test.java:82:49:82:55 | Nonce | Nonce |
+| Test.java:82:49:82:55 | ivSpec2 | Test.java:19:38:19:40 | val : byte[] | Test.java:82:49:82:55 | ivSpec2 | Nonce source is reused, see alternate sink $@ | Test.java:76:48:76:54 | Nonce | Nonce |
 edges
 | Test.java:19:38:19:40 | val : byte[] | Test.java:20:16:20:18 | val : byte[] | provenance |  |
 | Test.java:20:16:20:18 | val : byte[] | Test.java:25:15:25:33 | getRandomWrapper1(...) : byte[] | provenance |  |
@@ -11,38 +16,41 @@ edges
 | Test.java:33:16:33:18 | val : byte[] | Test.java:63:21:63:40 | getRandomWrapper2b(...) : byte[] | provenance |  |
 | Test.java:33:16:33:18 | val : byte[] | Test.java:72:21:72:40 | getRandomWrapper2b(...) : byte[] | provenance |  |
 | Test.java:36:32:36:40 | iv : byte[] | Test.java:37:54:37:55 | iv : byte[] | provenance |  |
-| Test.java:37:34:37:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:40:47:40:52 | ivSpec | provenance | Sink:MaD:45890 |
+| Test.java:37:34:37:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:40:47:40:52 | ivSpec | provenance | Sink:MaD:1 |
 | Test.java:37:54:37:55 | iv : byte[] | Test.java:37:34:37:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
-| Test.java:37:54:37:55 | iv : byte[] | Test.java:37:34:37:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
+| Test.java:37:54:37:55 | iv : byte[] | Test.java:37:34:37:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
 | Test.java:45:21:45:40 | getRandomWrapper2A(...) : byte[] | Test.java:46:54:46:55 | iv : byte[] | provenance |  |
-| Test.java:46:34:46:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:49:47:49:52 | ivSpec | provenance | Sink:MaD:45890 |
+| Test.java:46:34:46:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:49:47:49:52 | ivSpec | provenance | Sink:MaD:1 |
 | Test.java:46:54:46:55 | iv : byte[] | Test.java:46:34:46:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
-| Test.java:46:54:46:55 | iv : byte[] | Test.java:46:34:46:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
+| Test.java:46:54:46:55 | iv : byte[] | Test.java:46:34:46:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
 | Test.java:54:21:54:40 | getRandomWrapper2b(...) : byte[] | Test.java:55:54:55:55 | iv : byte[] | provenance |  |
-| Test.java:55:34:55:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:58:47:58:52 | ivSpec | provenance | Sink:MaD:45890 |
+| Test.java:55:34:55:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:58:47:58:52 | ivSpec | provenance | Sink:MaD:1 |
 | Test.java:55:54:55:55 | iv : byte[] | Test.java:55:34:55:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
-| Test.java:55:54:55:55 | iv : byte[] | Test.java:55:34:55:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
+| Test.java:55:54:55:55 | iv : byte[] | Test.java:55:34:55:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
 | Test.java:63:21:63:40 | getRandomWrapper2b(...) : byte[] | Test.java:64:54:64:55 | iv : byte[] | provenance |  |
-| Test.java:64:34:64:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:67:47:67:52 | ivSpec | provenance | Sink:MaD:45890 |
+| Test.java:64:34:64:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:67:47:67:52 | ivSpec | provenance | Sink:MaD:1 |
 | Test.java:64:54:64:55 | iv : byte[] | Test.java:64:34:64:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
-| Test.java:64:54:64:55 | iv : byte[] | Test.java:64:34:64:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
+| Test.java:64:54:64:55 | iv : byte[] | Test.java:64:34:64:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
 | Test.java:72:21:72:40 | getRandomWrapper2b(...) : byte[] | Test.java:73:55:73:56 | iv : byte[] | provenance |  |
-| Test.java:73:35:73:57 | new IvParameterSpec(...) : IvParameterSpec | Test.java:76:48:76:54 | ivSpec1 | provenance | Sink:MaD:45890 |
+| Test.java:73:35:73:57 | new IvParameterSpec(...) : IvParameterSpec | Test.java:76:48:76:54 | ivSpec1 | provenance | Sink:MaD:1 |
 | Test.java:73:55:73:56 | iv : byte[] | Test.java:73:35:73:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
-| Test.java:73:55:73:56 | iv : byte[] | Test.java:73:35:73:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
+| Test.java:73:55:73:56 | iv : byte[] | Test.java:73:35:73:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
 | Test.java:73:55:73:56 | iv : byte[] | Test.java:79:55:79:56 | iv : byte[] | provenance |  |
-| Test.java:79:35:79:57 | new IvParameterSpec(...) : IvParameterSpec | Test.java:82:49:82:55 | ivSpec2 | provenance | Sink:MaD:45890 |
+| Test.java:79:35:79:57 | new IvParameterSpec(...) : IvParameterSpec | Test.java:82:49:82:55 | ivSpec2 | provenance | Sink:MaD:1 |
 | Test.java:79:55:79:56 | iv : byte[] | Test.java:79:35:79:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
-| Test.java:79:55:79:56 | iv : byte[] | Test.java:79:35:79:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
+| Test.java:79:55:79:56 | iv : byte[] | Test.java:79:35:79:57 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
 | Test.java:88:38:88:39 | iv : byte[] | Test.java:89:54:89:55 | iv : byte[] | provenance |  |
-| Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:93:51:93:56 | ivSpec | provenance | Sink:MaD:45890 |
-| Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:96:51:96:56 | ivSpec | provenance | Sink:MaD:45890 |
+| Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:93:51:93:56 | ivSpec | provenance | Sink:MaD:1 |
+| Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:96:51:96:56 | ivSpec | provenance | Sink:MaD:1 |
 | Test.java:89:54:89:55 | iv : byte[] | Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
-| Test.java:89:54:89:55 | iv : byte[] | Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
+| Test.java:89:54:89:55 | iv : byte[] | Test.java:89:34:89:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
 | Test.java:103:38:103:39 | iv : byte[] | Test.java:104:54:104:55 | iv : byte[] | provenance |  |
-| Test.java:104:34:104:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:107:47:107:52 | ivSpec | provenance | Sink:MaD:45890 |
+| Test.java:104:34:104:56 | new IvParameterSpec(...) : IvParameterSpec | Test.java:107:47:107:52 | ivSpec | provenance | Sink:MaD:1 |
 | Test.java:104:54:104:55 | iv : byte[] | Test.java:104:34:104:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | Config |
-| Test.java:104:54:104:55 | iv : byte[] | Test.java:104:34:104:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45920 |
+| Test.java:104:54:104:55 | iv : byte[] | Test.java:104:34:104:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:2 |
+models
+| 1 | Sink: javax.crypto; Cipher; true; init; (int,Key,AlgorithmParameterSpec); ; Argument[2]; encryption-iv; manual |
+| 2 | Summary: javax.crypto.spec; IvParameterSpec; true; IvParameterSpec; ; ; Argument[0]; Argument[this]; taint; manual |
 nodes
 | Test.java:19:38:19:40 | val : byte[] | semmle.label | val : byte[] |
 | Test.java:20:16:20:18 | val : byte[] | semmle.label | val : byte[] |
@@ -84,8 +92,3 @@ nodes
 | Test.java:104:54:104:55 | iv : byte[] | semmle.label | iv : byte[] |
 | Test.java:107:47:107:52 | ivSpec | semmle.label | ivSpec |
 subpaths
-#select
-| Test.java:40:47:40:52 | ivSpec | Test.java:19:38:19:40 | val : byte[] | Test.java:40:47:40:52 | ivSpec | Nonce source is reused, see alternate sink $@ | Test.java:49:47:49:52 | Nonce | Nonce |
-| Test.java:49:47:49:52 | ivSpec | Test.java:19:38:19:40 | val : byte[] | Test.java:49:47:49:52 | ivSpec | Nonce source is reused, see alternate sink $@ | Test.java:40:47:40:52 | Nonce | Nonce |
-| Test.java:76:48:76:54 | ivSpec1 | Test.java:19:38:19:40 | val : byte[] | Test.java:76:48:76:54 | ivSpec1 | Nonce source is reused, see alternate sink $@ | Test.java:82:49:82:55 | Nonce | Nonce |
-| Test.java:82:49:82:55 | ivSpec2 | Test.java:19:38:19:40 | val : byte[] | Test.java:82:49:82:55 | ivSpec2 | Nonce source is reused, see alternate sink $@ | Test.java:76:48:76:54 | Nonce | Nonce |

java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/NonceReuse.qlref

@@ -1 +1,2 @@
-experimental/quantum/Examples/ReusedNonce.ql
+query: experimental/quantum/Examples/ReusedNonce.ql
+postprocess: utils/test/PrettyPrintModels.ql

java/ql/test/query-tests/Nullness/C.java

@@ -254,4 +254,15 @@ public class C {
       xs[0] = 42; // OK
     }
   }
+
+  public void ex19(Object t, Object x) {
+    boolean b = t != null || x != null;
+    if (b) {
+      if (t != null) {
+        t.hashCode(); // OK
+      } else {
+        x.hashCode(); // OK
+      }
+    }
+  }
 }